We always get lots of questions about our annual Worst Passwords List, so I thought I’d tackle some of these questions here.
What exactly are these 25 Worst Passwords? How do you collect passwords?
Technically, these are the most common 25 passwords we found from our searches of public posts or “dumps” of plain text (rather than hashed or encrypted) passwords posted on a wide variety of sites on the Internet during the calendar year 2015. We found over 2 million such passwords in 2015 from our searches. Most of these password dumps would be from hacks, breaches, or leaks of password databases on servers supporting consumer web sites. We make an effort to ensure these are unique passwords (so we are not double counting the same posts from different sources).
Why are these the “Worst Passwords”?
We call them the “worst passwords” because when it comes to password security, using a popular password is a very bad thing. Since the most popular passwords are so common, these popular passwords would be among the very first tried by any hacker or malicious “cracking” program. When you choose a password, you want something unique, complex, and unusual, and you want to make sure you use different passwords for different sites.
How popular are the 25 Worst Passwords?
We estimate about 3% of people are using these 25 worst passwords, which is consistent with our prior samples, but the trend does seem to point toward a smaller percentage of people using them each year
Why do you publish the Worst Password list?
We’re trying to educate people about the risks of choosing convenient but weak passwords. We want to encourage people to use longer, stronger, more complex passwords or passphrases. We also want to encourage people to use different passwords for different websites. And obviously we know that once people start following these better practices, they are more likely to follow security experts’ recommendations and use a password manager like our SplashID for consumers and TeamsID for organizations and families.
How long have you been researching Worst Passwords?
Over 5 years, dating all the way back to 2011
Do you have other information about your research?
Yes, you can get our free ebook on results from our 5 years of researching common passwords
Of the two million leaked passwords the 2015 list is sourced from, were there any sites in particular that provided a large percentage? Are adult sites included?There is a pretty wide variety of sites represented with no one leak representing a large portion of the sample. We make an effort to exclude adult sites since those tend to be overweighted in leaks, and the kinds of passwords people use on adult sites tend to be different from passwords they use on other sites (i.e., a lot more naughty!).
How has the importance of an individual password evolved as people’s information is increasingly exposed as a result of attacks on corporate databases outside of their control?Since exposure is constantly increasing — more sites being hacked, more passwords at risk — what’s becoming more and more important over time is to use different passwords for different sites. It’s almost inevitable that some of your logins somewhere will be exposed. You just want to make sure that exposure doesn’t have a cascading effect on your other logins, especially at more valuable sites and services (e.g., email and financial services).